[Openswan Users] Openswan Linux Client to SonicWallWindows Server.

Fernando Blankleder fernandoblankleder at gmail.com
Thu Sep 28 09:15:51 EDT 2006


Hi, I'm running 7 tunnels to a SonicWall t170 Enhanced with no problems at all. If you send the SonicWall configuration to the list I think I can help you. I'm sending (attached) my ipsec.conf, ipsec.secrets and a screen capture of the SonicWall config.


---------------------------- ipsec.conf ----------------------------------------------------------------------------------
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup
 interfaces=%defaultroute
 # Debug-logging controls:  "none" for (almost) none, "all" for lots.
 klipsdebug=none
 plutodebug=none
 uniqueids=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn ToSonic
 type=tunnel
 auth=esp
 authby=secret
 auto=start
 pfs=yes
 dpddelay=60
 dpdtimeout=120
 dpdaction=clear
 left=%defaultroute
 leftsubnet=192.168.80.0/24
 right=xxx.xxx.xxx.xxx   # SonicWall IP here
 rightsubnet=192.168.1.0/24
 keyexchange=ike

conn ToSonicwall2
 type=tunnel
 auto=route
 auth=esp
 authby=secret
 pfs=yes
 keyingtries=1
 dpddelay=60
 dpdtimeout=120
 dpdaction=clear 
 left=%defaultroute
 leftsubnet=192.168.80.0/24
 right=xxx.xxx.xxx.xxx   # SonicWall IP here
 rightsubnet=192.168.3.0/24
 keyexchange=ike

conn ToSonicwall3
 type=tunnel
 auto=route
 auth=esp
 authby=secret
 pfs=yes
 keyingtries=1
 dpddelay=60
 dpdtimeout=120
 dpdaction=clear
 left=%defaultroute
 leftsubnet=192.168.80.0/24
 right=xxx.xxx.xxx.xxx   # SonicWall IP here
 rightsubnet=192.168.4.0/24
 keyexchange=ike

conn ToSonicwall4
 type=tunnel
 auto=route
 auth=esp
 authby=secret
 pfs=yes
 keyingtries=1
 dpddelay=60
 dpdtimeout=120
 dpdaction=clear 
 left=%defaultroute
 leftsubnet=192.168.80.0/24
 right=xxx.xxx.xxx.xxx   # SonicWall IP here
 rightsubnet=192.168.5.0/24
 keyexchange=ike

conn ToSonicwall5
 type=tunnel
 auto=route
 auth=esp
 authby=secret
 pfs=yes
 keyingtries=1
 dpddelay=60
 dpdtimeout=120
 dpdaction=clear 
 left=%defaultroute
 leftsubnet=192.168.80.0/24
 right=216.41.108.242
 rightsubnet=192.168.6.0/24
 keyexchange=ike

conn ToSonicwall6
 type=tunnel
 auto=route
 auth=esp
 authby=secret
 pfs=yes
 keyingtries=1
 left=%defaultroute
 leftsubnet=192.168.80.0/24
 right=xxx.xxx.xxx.xxx   # SonicWall IP here
 rightsubnet=192.168.7.0/24
 keyexchange=ike

conn ToSonicwall7
 type=tunnel
 auto=route
 auth=esp
 authby=secret
 pfs=yes
 keyingtries=1
 dpddelay=60
 dpdtimeout=120
 dpdaction=clear 
 left=%defaultroute
 leftsubnet=192.168.80.0/24
 right=xxx.xxx.xxx.xxx   # SonicWall IP here
 rightsubnet=192.168.8.0/24
 keyexchange=ike
---------------------------- ipsec.secrets -------------------------------------------------------------------------
: PSK "xxxxxxxxxxxxxxxxx"   # same as in the SonicWall text box


---- Original Message ----- 
  From: Bas Driessen 
  To: Paul Wouters 
  Cc: users at openswan.org 
  Sent: Wednesday, September 27, 2006 7:28 PM
  Subject: Re: [Openswan Users] Openswan Linux Client to SonicWallWindows Server.


  On Wed, 2006-09-27 at 16:51 +0200, Paul Wouters wrote:
  > On Wed, 27 Sep 2006, Bas Driessen wrote:
  >
  > > Going through the lists, I found out that DES is not supported by
  > > default in OpenSwan, so I have re-compiled the package by setting the
  > > USE_WEAKSTUFF?=true flag in the Makefile.inc and also corrected the line
  > > to WEAK_DEFS=-DUSE_VERYWEAK_DH1=1 -DUSE_1DES in the Makefile of Pluto.
  > > All compiles OK. I know that 3DES is better etc, but this is out of my
  > > control. I have to get it to work with the current setup.
  >
  > You might also need to set USE_BROKEN=yes
  >
  > 3DES is not "better". 1DES is trivially brute forced. You have no VPN. You
  > better make sure your boss knows that, and gets it in writing, so that
  > you can blame management for this unwise decision.
  >
  > >     left=%defaultroute
  > >     leftsubnet=192.168.1.0/24
  > >     leftid=192.168.1.13
  >
  > > sonicwall.secrets
  > >
  > > 192.168.1.13 66.nnn.nnn.nnn : PSK "abcdef"
  >
  > If your IP is actually 192.168.1.13 you cannot tunnel 192.168.1.0/24.
  > You cannot be at two places at once.


  Thanks Paul, I have changed my leftsubnet as follows:

  leftsubnet=192.168.1.13/32

  Still same failing results. All I need is to connect from a Linux PC as a client to a VPN tunnel.

  Will try the USE_BROKEN switch now.

  Thanks,
  Bas.
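Two of Paul's points in the quoted exchange (a host cannot tunnel a subnet it is itself part of, and single DES with DH group 1 gives you no real VPN) can be caught by linting ipsec.conf before pluto is ever started. The following is an added example, not code from this thread or from Openswan: SAMPLE_CONF, the conn names and the peer address 203.0.113.10 are constructed, and the parser handles the plain key=value subset of ipsec.conf shown in the posted file, not include lines or also= references.

```python
import ipaddress
import re
# Constructed sample in the style of the ipsec.conf posted above; "RoadWarrior" reproduces the
# mistake Paul points out (the host's own address lies inside leftsubnet) and proposes single DES.
SAMPLE_CONF = """\
conn ToSonic
 left=%defaultroute
 leftsubnet=192.168.80.0/24
 right=203.0.113.10   # placeholder for the SonicWall address
 rightsubnet=192.168.1.0/24
conn RoadWarrior
 left=192.168.1.13
 leftsubnet=192.168.1.0/24
 right=203.0.113.10
 rightsubnet=192.168.3.0/24
 ike=des-md5-modp768
"""
WEAK_ALGS = {"des", "1des", "modp768"}   # single DES and DH group 1, per Paul's warning

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; '#' starts a comment, indented lines are parameters."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # "conn NAME" or "config setup"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind in ("conn", "config") else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint_conn(name, p):
    """Findings for one conn: an endpoint inside its own subnet, and weak IKE/ESP algorithms."""
    out = []
    for side in ("left", "right"):
        addr, net = p.get(side), p.get(side + "subnet")
        if not addr or not net or addr.startswith("%"):   # %defaultroute etc. resolve at runtime
            continue
        subnet = ipaddress.ip_network(net)
        if subnet.num_addresses > 1 and ipaddress.ip_address(addr) in subnet:   # host/32 is fine
            out.append(f"{name}: {side}={addr} lies inside {side}subnet {net}; a host cannot tunnel a subnet it is part of")
    for key in ("ike", "esp"):
        weak = WEAK_ALGS & set(re.split(r"[-,;]", p.get(key, "").lower()))
        if weak:
            out.append(f"{name}: {key}= proposes {', '.join(sorted(weak))}, which is trivially brute-forced")
    return out

def lint_ipsec_conf(text):
    return [f for name, p in parse_ipsec_conf(text).items() if name != "setup" for f in lint_conn(name, p)]
```

Running `lint_ipsec_conf(SAMPLE_CONF)` reports nothing for ToSonic and two findings for RoadWarrior; changing its leftsubnet to 192.168.1.13/32, as Bas did, clears the first of them.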
Attachments scrubbed by the list archive: an HTML copy of this message and four SonicWall configuration screenshots (general.GIF, Network.GIF, proposals.GIF, advanced.GIF), at
http://lists.openswan.org/pipermail/users/attachments/20060928/04c00bdb/attachment-0001.html
and attachment-0004.gif through attachment-0007.gif under the same path.